---
name: cloud-release
on:
  push:
    tags:
    - release/cloud/**
permissions:
  contents: read
env:
  VERSIONS_FILE: "VERSIONS.json"
jobs:
  get-dev-image:
    uses: ./.github/workflows/get_image.yaml
    with:
      image-base-name: "dev_image_with_extras"
  build-release:
    name: Build Release
    runs-on: ubuntu-latest-16-cores
    needs: get-dev-image
    container:
      image: ${{ needs.get-dev-image.outputs.image-with-tag }}
    steps:
    - uses: actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3  # v3.5.0
      with:
        fetch-depth: 0
    - name: Add pwd to git safe dir
      run: git config --global --add safe.directory `pwd`
    - name: Use github bazel config
      uses: ./.github/actions/bazelrc
      with:
        download_toplevel: 'true'
        BB_API_KEY: ${{ secrets.BB_IO_API_KEY }}
    - id: gcloud-creds
      uses: ./.github/actions/gcloud_creds
      with:
        SERVICE_ACCOUNT_KEY: ${{ secrets.GH_RELEASE_SA_PEM_B64 }}
    - name: Import GPG key
      env:
        BUILDBOT_GPG_KEY_B64: ${{ secrets.BUILDBOT_GPG_KEY_B64 }}
      run: |
        echo "${BUILDBOT_GPG_KEY_B64}" | base64 --decode | gpg --no-tty --batch --import
    - name: Build & Push Artifacts
      env:
        REF: ${{ github.event.ref }}
        BUILD_NUMBER: ${{ github.run_attempt }}
        JOB_NAME: ${{ github.job }}
        GH_API_KEY: ${{ secrets.GITHUB_TOKEN }}
        COSIGN_PASSWORD: ${{secrets.COSIGN_PASSWORD}}
        COSIGN_PRIVATE_KEY: ${{secrets.COSIGN_PRIVATE_KEY}}
        GOOGLE_APPLICATION_CREDENTIALS: ${{ steps.gcloud-creds.outputs.gcloud-creds }}
        BUILDBOT_GPG_KEY_ID: ${{ secrets.BUILDBOT_GPG_KEY_ID }}
      shell: bash
      run: |
        export TAG_NAME="${REF#*/tags/}"
        export ARTIFACTS_DIR="$(pwd)/artifacts"
        mkdir -p "${ARTIFACTS_DIR}"
        ./ci/save_version_info.sh
        ./ci/cloud_build_release.sh
    - uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce  # v3.1.2
      with:
        name: cloud-artifacts
        path: artifacts/
  create-github-release:
    if: ${{ !contains(github.event.ref, '-') }}
    name: Create Release on Github
    runs-on: ubuntu-latest
    needs: build-release
    permissions:
      contents: write
    steps:
    - uses: actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3  # v3.5.0
      with:
        fetch-depth: 0
    - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a  # v3.0.2
    - name: Create Release
      env:
        REF: ${{ github.event.ref }}
        GH_TOKEN: ${{ secrets.BUILDBOT_GH_API_TOKEN }}
        OWNER: pixie-io
        REPO: pixie
      shell: bash
      # yamllint disable rule:indentation
      run: |
        export TAG_NAME="${REF#*/tags/}"
        # actions/checkout doesn't get the tag annotation properly.
        git fetch origin tag "${TAG_NAME}" -f
        export changelog="$(git tag -l --format='%(contents)' "${TAG_NAME}")"
        gh release create "${TAG_NAME}" --title "Cloud ${TAG_NAME#release/cloud/}" \
          --notes $'Pixie Cloud Release:\n'"${changelog}"
        gh release upload "${TAG_NAME}" cloud-artifacts/*
      # yamllint enable rule:indentation
